by user_7832 37 days ago
Honestly I think this is a great idea. My only suggestion is instead of being very nominal, it should be "reasonable" (so $10 and not $1).

It's even possible to directly link this to maintainers/employees - if you can review 10 such AI/real things per hour (likely more if it's AI slop that's easy to detect), you're generating another revenue stream. Now, I have no idea if these guys are based in SF Bay or a 3rd world country with low COL but as an "add on", $100 an hour isn't too shabby (and can be on the "low end" if one's good at spotting AI crap.)

Side note, isn't it possible to have some way to verify if the "vulns" are actual vulns or not? ...Heck why not throw an LLM at it, powered by a single $10 submission fee?

3 comments

Sounds like a startup idea to me! Admittedly, the friction and the fact that you have to pay would prevent a lot of legitimate people from participation which sucks.

AI is really throwing a wrench in the economics of software development, isn’t it?

$10 or even $100 should create no such friction on a $1000 bounty.
If I had to deposit $10 to report a vulnerability to a company that could get their entire production/business to halt, I'd publish the exploit.
Presumably you could do it just fine without paying if you didn't want the $1000 necessarily. Reasonably they'd still give you the $1000 even if you said "I don't want the money but you guys have a problem", and they later figure out you're not a bot and you're actually right.
I believe the company is based in SF, but the developers are all over the world, so $100/hr is probably in the ballpark. Interestingly one of the senior developers is working from prison so his costs are probably a bit lower: https://news.ycombinator.com/item?id=44288937